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Thursday 17 J anuary 2019 


Members: 


Ailsa Beaton (chair) 
Roger Barlow 
Jane McCall 


Attendees: 


1CO 

Elizabeth Denham 
Paul Arnold 
Louise Byers 
Heather Dove 
Andrew Hubert 
Jonathan Bamford 


Jo Pedder 


Internal Auditors 
Peter Cudlip 
Michaela Spiller 


External Auditors 
Matthew Atkinson 
Mark Colman 
David Eagles 


Secretariat 
Chris Braithwaite 
Caroline Robinson 


Non-Executive Director 
Independent Audit Committee member 
Non-Executive Director 


Information Commissioner 

Deputy Chief Executive Officer 

Director of Corporate Affairs and Governance 
Head of Finance 

Director of Resources 

Director of Strategic Policy (Domestic) (for 
item 6) 

Head of Engagement (for item 6) 


Mazars 
Mazars 


National Audit Office (NAO) (by telephone) 
BDO 
BDO 


Senior Corporate Governance Manager 
Corporate Governance Officer 


1. 


Introductions and apologies 

1.1. Apologies were received from Sid Sidhu (NAO). 
Declaration of interests 

2.1% No declarations were made. 
Matters arising from the previous meeting 

3.1. The minutes of the previous meeting were agreed. 


3:2; There was one outstanding action from the previous 
meeting, regarding requesting Non-Executive Directors to 
provide a quarterly return of gifts and hospitality they had 
received. Chris Braithwaite confirmed that this action would 
be completed by the end of January 2019. 


Deputy Chief Executive Officer’s update 


4.1. Paul Arnold updated the Committee on major issues 
affecting the ICO. He noted that Elizabeth Denham had been 
awarded a CBE in the 2019 New Year’s Honours and the 
Committee congratulated her on this honour. Elizabeth 
Denham commented that the honour reflected the excellent 
work of everyone associated with the ICO. 


4.2. One of the key areas of focus for the ICO since the 
Committee’s last meeting had been preparation for the UK’s 
exit from the EU. There continued to be close liaison with 
DCMS and appropriate guidance on a potential “no deal” 
scenario had been developed and released before Christmas. 
Plans were in place to deal with increased demand from the 
public and businesses for ICO services in the run up to the EU 
Exit. 


4.3. Recruitment to additional posts within the ICO 
continued. The recent staff survey had indicated that 89% of 
staff were “proud to work for the ICO” and staff turnover was 
now at 8%. The new pay progression policy had now been 
agreed and would be implemented from April. A full briefing 
on this policy would be provided to the Management Board at 
their next meeting. The Audit Committee expressed their 
gratitude to all staff who had been involved in the review of 
the pay policy. 


5. Risk and Opportunity Management 


5.1. Louise Byers presented a report which set out the 
current Risk and Opportunity Register. The Committee noted 
the changes which had been made to the register since the 
last meeting. 


5.2. The report also provided information in relation to 
scenario planning work which had been completed since the 
Committee’s last meeting. This planning had focused on 
demand for services and availability of funding. The 
Committee welcomed the report, which was very helpful in 
identifying how the organisation would react if faced by these 
challenges. 


5.3. The Committee requested that a further report be 
provided which also considers the impact of several risks 
maturing simultaneously, along with other factors, such as 
business continuity events, on the scenarios set out within 
the report. 


Action 1: Louise Byers to submit a report to the J une 
2019 meeting to report on the further development of 
the risk scenario planning. 


6. Internal audit 


6.1. Peter Cudlip introduced a report providing an Internal 
Audit progress update, highlighting the common themes 
which had emerged from the audits which had been 
undertaken so far. 


6.2. One common theme was identified as “management 
should consider the effectiveness and general uptake of 
training across the wider organisation”. Andrew Hubert 
explained that he was not aware of any issues in relation to 
uptake of training. Mazars and Andrew Hubert agreed to 
review this and provide clarification of the theme to Audit 
Committee members. 


Action 2: Mazars and Andrew Hubert to review and 
provide clarification to Audit Committee Members of 
the common theme in relation to uptake of training. 


6.3. The Committee noted the significant expansion of the 
ICO over the last year and asked whether there was clarity 
on processes, roles and responsibilities, and that appropriate 
governance structures were now in place to take advantage 
of the additional capacity and expertise. Elizabeth Denham 
explained that a new governance structure had been agreed 
in December and was now being embedded. A report could 
be submitted to the Committee’s next meeting to set out the 
new structure. 


Action 3: Paul Arnold and Louise Byers to submit a 
report to the Committee’s next meeting setting out the 
new governance structures. 


6.4. Michaela Spiller introduced a report providing 
information of the completed audit of guidance development. 
Jonathan Bamford and Jo Pedder agreed that the audit had 
been very helpful and that they would implement the 
recommendations from the audit in line with the timescales 
set out in the report. 


6.5. Elizabeth Denham asked whether Mazars was aware of 
best practice in guidance development from their audits of 
other regulators, particularly in relation to outsourcing and 
the role of legal teams. With regard to outsourcing, Peter 
Cudlip explained that the best practice was to develop long- 
term relationships with specialists in particular areas where 
guidance may be needed. With regard to the role of legal 
teams, Mazars was aware that this was an issue experienced 
by many regulators but best practice had not yet been 
established. Peter Cudlip explained that Mazars would 
facilitate a meeting between the ICO and similar clients to 
develop best practice in this area. 


Action 4: Mazars to facilitate a meeting between the 
ICO and other similar Mazars clients to explore best 
practice of the role of legal teams in guidance 
development. 


7. People Strategy audit 


7.1. Michaela Spiller introduced a report providing 
information of the completed audit of the |CO’s People 
Strategy. In addition, Andrew Hubert provided a report which 
set out an update on the current position with the People 
Strategy. 


8. 


9. 


10. 


72s The Committee agreed that for future Internal Audit 


reports, the management response should indicate whether 
each recommendation was accepted or rejected. 


Action 5: Chris Braithwaite to ensure that future 
Internal Audit reports were consistent in stating 
whether management accepts or rejects each 
recommendation. 


Outstanding audit actions 


8.1. Chris Braithwaite reported that there were three late 


internal audit recommendations. All of these related to the 
integration of the assurance map in to the risk and 
opportunity register. These actions would be completed by 
the end of April 2019. 


External audit 


9.1. David Eagles presented a report which set out the 


details of the proposed approach for the audit of the 2018/19 
financial statements. 


9.2. The Audit Committee agreed that: 


- the assessment of the risks of material misstatement to 
the financial statements, set out within the report, was 
complete; 

- management’s response to these risks was adequate; and 

- the proposed audit plan to address these risks was 
appropriate; 

- the Committee had sufficient oversight of the effectiveness 
of internal control; and 

- the Committee was not aware of: any potential for 
material misstatement due to fraud or the |CO’s risk 
profile; of non-compliance with laws, regulations or 
internal policies; or of any other matters which may 
influence the audit of the financial statements. 


2018/ 19 Financial Statements 


10.1. Heather Dove provided an oral update on the plan for 


the completion of the 2018/19 Financial Statements, which 
was on schedule. She explained that a creditor would be 
listed within the Financial Statements for staff pay, as back- 
pay as a result of the implementation of the pay progression 
scheme would not be finalised during the financial year. She 
also explained that the ICO had discussed the pension 


information required with MyCSP, to ensure that this aspect 
of the Financial Statements process went smoothly for 
2018/19. 


11. Finance 


11.1. Heather Dove introduced the November finance report, 
which had been circulated in advance of the meeting. She 
also provided a verbal update regarding the December 2018 
position, which was in line with the estimated position. 


12. Fraud, Whistleblowing and security - Q1and Q2, 2018/19 
12.1. Chris Braithwaite presented a report which provided an 
update on whistleblowing and security incidents in Q3 of 
2018/19. The Committee was given further information 
regarding the medium impact incident. 


13. Any other business 


13.1. There were no items of other business. 


